Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Is logoff feature necessary

from [intel96] Network Security [Permanent Link]
Subject: Is logoff feature necessary
Date: Thu, 04 May 2006 00:07:48 -0400 
Having a logoff button is an important feature so that the session will 
terminated correctly.  I tested my online banking portal with my account to see 
what would happen if I did not used the logoff feature.

My bank uses 6 cookies to tracking my access to the portal.  Each cookie 
expires at the end of the session.  When I shut my Firefox browser using the 
"x" all the cookies were saved for the session, but they did not work to get 
back into the portal.  

I logon to my banking portal and edited the cookies expiration dates for 24 
hours in the future.  I than bookmarked my current page and shut down my 
browser using the "x."  When I opened my browser I selected my banking bookmark 
and up popped by banking information.  I tried this exercise every 5 minutes 
for an hour and it worked each time.  I than left the browser closed for 
30-minutes, but I was still allowed back in to the session.  I tried the same 
test at 1 hour and I could not get back into the session.  The bank was also 
keeping some type of last login information in one of the cookies because my 
login timestamp never changed until the session expired at the server.  

The funny thing here is that if I do not have any activity within my banking 
portal my session will expired within 15 minutes, but if I play with the cookie 
timestamps I can stay offline for 30 minutes and still get back into the 
session.  

One thing the logoff button should do is clear the cookies that were sent to 
the browser.  The developer should also look for the browser close event to 
clear the cookies even if that event comes from the "x" or the exit in the menu.

Intel96









-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  ual Factor/Adaptive Authentication, Casey DeBerry
Next by Date:  Re: [WEB SECURITY] Java -noverify PoC, Stephen de Vries
Previous by Thread:  RE: Is logoff feature necessary, Auri Rahimzadeh
Next by Thread:  RE: Is logoff feature necessary, Auri Rahimzadeh
Indexes:  [Date] [Thread] [Top] [All Lists]